OUD and Referral Management with AD

Oracle Unified Directory (OUD) can be configured as a proxy to Active Directory (AD).
For instance, it is possible to define a Remote LDAP Extension in OUD pointing to the Root Catalog of AD 2008.

Searches to AD return referrals, so the appropriate OUD Network Group can be modified to follow referrals automatically with the command below:

    dsconfig -h localhost -p 4444 -D "cn=directory manager" -j ~/.pwd -X -n set-network-group-qos-policy-prop --group-name network-group --policy-type referral --set referral-policy:follow

In some cases, an ldapsearch with a base DN that is not local to the root catalog still returns referrals to another AD server.
OUD then reports the following error:

    SEARCH operation failed
    Result Code:  1 (Operations Error)
    Additional Information:  Unable to process the operation because a referral leading to an unknown or disabled ldap-server example.com:389 was received

This error is specific to AD because AD builds referrals as follows: ldap://example.com/CN=Configuration,DC=example,DC=com. The host example.com does not necessarily correspond to an LDAP host declared in the OUD proxy configuration. For security reasons, OUD only follows referrals to hosts explicitly declared as LDAP server extensions in the OUD proxy configuration.

To make sure OUD is able to chase such referrals, define a new ldap-server-extension with the remote-ldap-server-address property set to example.com and remote-ldap-server-port set to 389. In this case, creating a proxy workflow element for this ldap-server-extension is not required. More on LDAP server extensions at http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/proxy_config.htm#solCREATING-AN-LDAP-SERVER-EXTENSION
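The following script is an added example, not part of the original post or of the OUD product: it takes the referral URLs AD hands back, extracts the host and port OUD will look for (AD omits the port, so the standard LDAP URL default of 389, or 636 for ldaps, is applied, which is an assumption), compares them against the hosts already declared as ldap-server extensions, and prints the dsconfig command needed for each missing one. The sample referral URLs, the DECLARED list and the extension naming scheme are constructed; the create-extension command form is my reading of the OUD admin guide and should be checked against your release.

```shell
#!/bin/sh
# Added example (not from the original post). Hostnames below are constructed.
# Referral URLs in the form AD returns them: ldap://host/DN (port omitted).
REFERRALS='ldap://example.com/CN=Configuration,DC=example,DC=com
ldap://dc02.example.com:3268/DC=example,DC=com
ldaps://dc03.example.com/DC=child,DC=example,DC=com'

# host:port pairs already declared as ldap-server extensions in the OUD proxy
# (constructed; in practice take them from "dsconfig list-extensions").
DECLARED='dc02.example.com:3268'

# referral_host_port URL -> prints "host:port"; applies the LDAP URL default port
# (389 for ldap, 636 for ldaps; assumption) when the referral carries none.
referral_host_port() {
  url=$1
  case $url in
    ldaps://*) default=636; rest=${url#ldaps://} ;;
    ldap://*)  default=389; rest=${url#ldap://} ;;
    *) return 1 ;;
  esac
  hostport=${rest%%/*}
  case $hostport in
    *:*) printf '%s\n' "$hostport" ;;
    *)   printf '%s:%s\n' "$hostport" "$default" ;;
  esac
}

# is_declared host:port -> 0 if the pair is in DECLARED
is_declared() {
  for d in $DECLARED; do
    [ "$d" = "$1" ] && return 0
  done
  return 1
}

# missing_extensions -> prints every referral target OUD would refuse to follow
missing_extensions() {
  printf '%s\n' "$REFERRALS" | while IFS= read -r url; do
    hp=$(referral_host_port "$url") || continue
    is_declared "$hp" || printf '%s\n' "$hp"
  done
}

# dsconfig_cmd host:port -> prints the command declaring that host as an
# ldap-server extension (extension name derived from the host; constructed).
dsconfig_cmd() {
  host=${1%:*}; port=${1##*:}
  name=$(printf '%s' "$host" | tr '.' '-')
  printf 'dsconfig create-extension --type ldap-server --extension-name %s --set enabled:true --set remote-ldap-server-address:%s --set remote-ldap-server-port:%s -X -n\n' \
    "$name" "$host" "$port"
}

main() {
  missing_extensions | while IFS= read -r hp; do dsconfig_cmd "$hp"; done
}
# Only run when executed directly under this file name.
case "${0##*/}" in referral_check.sh) main ;; esac
```

Saved as referral_check.sh and run, it prints one create-extension command for example.com:389 and one for dc03.example.com:636, and nothing for dc02.example.com:3268, which is already declared. Add the connection options (--hostname, --port, --bindDN, --bindPasswordFile) your deployment uses before running the printed commands.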

Creating a new naming context in OUD

A naming context (also known as a directory suffix) is a DN that identifies the top entry in a locally held directory hierarchy.

A new naming context can be created using ODSM, the OUD GUI admin console, as described in http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/server_config.htm#CBDGCJGF

It can also be created using the dsconfig command line as described below. Creation of a new naming context consists of 3 steps:

First, create a Local Backend Workflow element (myNewDb in this example), responsible for the naming context base DN, e.g. o=example.

    dsconfig create-workflow-element \
      --set base-dn:o=example \
      --set enabled:true \
      --type db-local-backend \
      --element-name myNewDb \
      --hostname <your host> \
      --port <admin port> \
      --bindDN cn=Directory\ Manager \
      --bindPasswordFile ******

Second, create a Workflow (workFlowForMyNewDb in this example) associated with the Local Backend Workflow element. Workflows are used to route LDAP requests to the appropriate database, based on the target base DN.

    dsconfig create-workflow \
      --set base-dn:o=example \
      --set enabled:true \
      --set workflow-element:myNewDb \
      --type generic \
      --workflow-name workFlowForMyNewDb \
      --hostname <your host name> \
      --port <admin port> \
      --bindDN cn=Directory\ Manager \
      --bindPasswordFile ******

Then, the workflow must be made visible outside of the directory, i.e. added to the internal "routing table". This is done by adding the Workflow to the appropriate Network Group. A Network Group is used to classify incoming client connections and route requests to workflows.

    dsconfig set-network-group-prop \
      --group-name network-group \
      --add workflow:workFlowForMyNewDb \
      --hostname <your hostname> \
      --port <admin port> \
      --bindDN cn=Directory\ Manager \
      --bindPasswordFile ******

At that stage, it is possible to import entries to the new naming context o=example.
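The three steps above, wrapped into one script as an added example (not part of the original post): the base DN is sanity-checked before anything is created, the backend, workflow and network-group names are derived from the DN, the connection options are read once from environment variables (OUD_HOST, OUD_ADMIN_PORT, OUD_BIND_DN, OUD_PWD_FILE and NETWORK_GROUP are hypothetical names chosen here), and the chain stops at the first step that fails so that no workflow is published for a backend that does not exist. Setting DRY_RUN prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). Environment variable names are hypothetical.
OUD_HOST=${OUD_HOST:-localhost}
OUD_ADMIN_PORT=${OUD_ADMIN_PORT:-4444}
OUD_BIND_DN=${OUD_BIND_DN:-"cn=Directory Manager"}
OUD_PWD_FILE=${OUD_PWD_FILE:-"$HOME/.pwd"}
NETWORK_GROUP=${NETWORK_GROUP:-network-group}

# run_dsconfig ARGS... : runs dsconfig with the shared connection options,
# or just prints the command when DRY_RUN is set.
run_dsconfig() {
  if [ -n "$DRY_RUN" ]; then
    printf 'dsconfig %s\n' "$*"
  else
    dsconfig "$@" --hostname "$OUD_HOST" --port "$OUD_ADMIN_PORT" \
      --bindDN "$OUD_BIND_DN" --bindPasswordFile "$OUD_PWD_FILE" -X -n
  fi
}

# valid_base_dn DN : simple shape check (attr=value[,attr=value...]);
# not a full RFC 4514 parser, but it rejects empty or obviously malformed DNs.
valid_base_dn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$'
}

# suffix_name DN : config-friendly name, e.g. o=example -> o-example
suffix_name() {
  printf '%s' "$1" | tr ',= ' '---'
}

# create_naming_context DN : backend, then workflow, then network-group membership.
create_naming_context() {
  dn=$1
  valid_base_dn "$dn" || { echo "invalid base DN: $dn" >&2; return 1; }
  name=$(suffix_name "$dn")
  # 1. Local Backend Workflow element holding the suffix
  run_dsconfig create-workflow-element --type db-local-backend \
    --element-name "db-$name" --set base-dn:"$dn" --set enabled:true || return 1
  # 2. Workflow routing requests for the suffix to that backend
  run_dsconfig create-workflow --type generic --workflow-name "wf-$name" \
    --set base-dn:"$dn" --set enabled:true --set workflow-element:"db-$name" || return 1
  # 3. Publish the workflow through the network group
  run_dsconfig set-network-group-prop --group-name "$NETWORK_GROUP" \
    --add workflow:"wf-$name"
}
# Only run when executed directly under this file name.
case "${0##*/}" in create_naming_context.sh) create_naming_context "$1" ;; esac
```

Run as "DRY_RUN=1 sh create_naming_context.sh o=example" to see the three commands in order; without DRY_RUN they are executed against the admin port with the connection options from the environment.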

Migrating SSL Certificates to OUD

By default, self-signed certificates are automatically assigned to OUD instances.

In some cases, you might want to reuse a DSEE server certificate for the new OUD instance, so that the migration is transparent for SSL clients. Note that this might require installing the OUD instance on the same box as DSEE, depending on the SSL certificate options used.

If you want to have your OUD instance reuse the SSL server certificate, perform the following steps.

1. Export the DSEE server certificate to a PKCS12 file (e.g. dsee.p12) as described in the ODSEE admin guide.
The exact procedure may depend on the DSEE release. On DSEE 6.x, DSEE 7.x and ODSEE, run the command below:

    dsadm export-cert -o dsee.p12  <instance_path> defaultCert

Note: By default, the alias of the DSEE server cert is defaultCert. Use the appropriate alias in case you chose another value.

2. Copy the PKCS12 file to <OUD_INSTANCE>/config.

3. Create a pin file containing the PKCS12 file password, e.g. dsee.p12.pin, in the <OUD_INSTANCE>/config directory.

At that stage, the DSEE server certificate can be imported in the OUD instance in 2 different ways:
– either configure a PKCS12 OUD keystore pointing to the file exported from DSEE
– import the DSEE certificate to the default JKS OUD keystore

To configure an OUD PKCS12 keystore, perform the following steps:

4.1 Configure the PKCS12 keystore

    dsconfig set-key-manager-provider-prop \
      --provider-name PKCS12 \
      --set key-store-file:config/dsee.p12 \
      --set key-store-pin-file:config/dsee.p12.pin \
      --set enabled:true

4.2 Configure the LDAPS connection handler to use the PKCS#12 keystore

    dsconfig set-connection-handler-prop \
      --handler-name LDAPS\ Connection\ Handler \
      --set key-manager-provider:PKCS12

To import the DSEE certificate key pair to the existing OUD JKS keystore, perform the following steps:

5.1 Locate the JAVA_HOME of the JVM used by OUD

The version of the JVM used is displayed at startup in the OUD error log.

5.2 Run the following command to import the DSEE certificate

    $JAVA_HOME/bin/keytool -v -importkeystore -srckeystore <Path to PKCS12 cert file exported from DSEE> -srcstoretype PKCS12 -destkeystore <OUD_INSTANCE_DIR>/OUD/config/keystore -deststoretype JKS

When prompted, specify the JKS pin (available in <OUD_INSTANCE_DIR>/OUD/config/keystore.pin) and the PKCS12 pin you used to export the DSEE server cert.

5.3 Check import

To list the content of the OUD JKS keystore, use the following:

    $JAVA_HOME/bin/keytool -list -keystore <OUD_INSTANCE_DIR>/OUD/config/keystore

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries

defaultcert, Aug 29, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 10:63:DC:B5:6B:C8:F3:A0:6B:A7:23:9E:0B:EA:9C:30

server-cert, Aug 29, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): BE:C9:F3:8A:49:98:96:15:EF:AC:B4:08:6F:76:FB:05

By default, the DSEE server cert alias is defaultcert.
By default, the OUD server cert alias is server-cert.
By default, OUD lets Java automatically choose the best server cert among those present in the keystore. If you want to force the use of one certificate, do the following:

    dsconfig set-connection-handler-prop \
      --handler-name LDAPS\ Connection\ Handler \
      --set ssl-cert-nickname:defaultcert
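The import check in step 5.3 and the nickname selection above can be verified without reading the keytool listing by eye. The script below is an added example, not part of the original post: it parses a "keytool -list" listing, reports which aliases are PrivateKeyEntry items (the only ones usable as a server certificate), and confirms that a given alias carries the fingerprint obtained from the DSEE side, so a nickname configured via ssl-cert-nickname is known to exist in the keystore as the expected key pair. The embedded listing reuses the two entries shown on this page as constructed sample input; the KEYSTORE_LISTING variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE_LISTING is constructed from
# the listing shown on the page; KEYSTORE_LISTING is a hypothetical override used
# to run the checks offline.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries

defaultcert, Aug 29, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 10:63:DC:B5:6B:C8:F3:A0:6B:A7:23:9E:0B:EA:9C:30

server-cert, Aug 29, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): BE:C9:F3:8A:49:98:96:15:EF:AC:B4:08:6F:76:FB:05'

# list_keystore KEYSTORE_PATH : real listing via keytool (prompts for the pin),
# or the text in KEYSTORE_LISTING when that variable is set.
list_keystore() {
  if [ -n "$KEYSTORE_LISTING" ]; then
    printf '%s\n' "$KEYSTORE_LISTING"
  else
    "${JAVA_HOME:?JAVA_HOME must be set}/bin/keytool" -list -keystore "$1"
  fi
}

# private_key_aliases LISTING : aliases of PrivateKeyEntry items, lowercased
# (keytool lowercases aliases, which is why defaultCert shows up as defaultcert).
private_key_aliases() {
  printf '%s\n' "$1" | awk -F', ' '/PrivateKeyEntry/ { print tolower($1) }'
}

# fingerprint_of LISTING ALIAS : fingerprint printed under ALIAS, empty if absent
fingerprint_of() {
  printf '%s\n' "$1" | awk -F', ' -v a="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /PrivateKeyEntry|trustedCertEntry/ { cur = tolower($1); next }
    /Certificate fingerprint/ && cur == a { sub(/^.*: /, ""); print; exit }'
}

# check_import LISTING ALIAS EXPECTED_FP : 0 only if ALIAS is a private key entry
# whose fingerprint matches the one exported from DSEE.
check_import() {
  listing=$1; alias=$2; expected=$3
  private_key_aliases "$listing" | grep -qx "$(printf '%s' "$alias" | tr 'A-Z' 'a-z')" || {
    echo "alias $alias not found as PrivateKeyEntry" >&2; return 1; }
  actual=$(fingerprint_of "$listing" "$alias")
  [ "$actual" = "$expected" ] || {
    echo "fingerprint mismatch for $alias: got '$actual', expected '$expected'" >&2; return 1; }
}

# Usage: check_keystore.sh KEYSTORE_PATH ALIAS EXPECTED_FINGERPRINT
case "${0##*/}" in
  check_keystore.sh) check_import "$(list_keystore "$1")" "$2" "$3" && echo "import OK: $2" ;;
esac
```

Take the expected fingerprint from the DSEE side (keytool -list against the exported PKCS12 file shows it) so the comparison spans the export and the import rather than only confirming that something with that alias exists.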